How to block incoming/outgoing network access for a single user using iptables?

Why this post?

Hmm… Every SysAdmin who loves to play with Linux iptables should know how iptables can handle networking for a single user. You need to dig a bit deeper into Linux iptables to find this option. Yeah, it’s possible!! Linux iptables has a special module for this job. The module is called “owner” (ipt_owner).

Before starting, you should have the basics of iptables. Please read the post linked below to get a clear intro to Linux iptables:

What is iptables in Linux?

We can call it the basics of a firewall for Linux. Iptables is a rule-based firewall system, normally pre-installed on Linux systems, which controls the incoming and outgoing packets. By default iptables runs without any rules; we can create, add and edit rules in it.

The module owner

This iptables module attempts to match various characteristics of the packet creator, for locally generated packets only. Note the point: it can only manage outgoing network access for a single user, because incoming packets have no local creator process to match.

If someone asks you “How do you block all connections to a port for a process running under a user on the server?” or “How do you block all incoming connections for a particular user?” using iptables, you can answer “It isn’t possible” (with the default ipt_owner module).

How To Block Outgoing Network Access For a Single User Using Iptables?

This iptables option is very useful if you want to block outgoing network activity for a particular user account on your Linux server. Here you use the owner module to match the user and block all outgoing traffic for that user.

Scenario 1:

Consider this scenario: you want to block all outgoing connections from the user “crybit” on the server. We can simply create an OUTPUT chain rule to do so.

See the rules and examples pasted below:

Syntax

iptables -A OUTPUT -o ethX -m owner --uid-owner {user name} -j DROP

I am guessing you are familiar with the commonly used iptables switches. Here we have to use the following switches to define the owner details:

-m owner : Loads the owner match module, which is used together with --uid-owner.
--uid-owner {user name} : Matches if the packet was created by a process with the given effective user name.

You can use any jump (-j) target, such as DROP or REJECT, as you wish.

It also supports the following switches:

--gid-owner (groupid) : Matches if the packet was created by a process with the given effective group id.
--pid-owner (process id) : Matches if the packet was created by a process with the given process id.
--sid-owner (session id) : Matches if the packet was created by a process in the given session group.
--cmd-owner (name) : Matches if the packet was created by a process with the given command name. [Not supported in latest iptables]

Scenario 2:

You can also block outgoing network activity for system-defined users. Consider this scenario: you want to block all outgoing network connections for the Apache user. This can stop someone from downloading code onto your server using wget or other tools.

Check the user name of the Apache server and add it to the rule using the “-m owner --uid-owner” switch.

Don’t forget to allow the email ports 25, 143 and 110 so that email keeps working properly.
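Putting Scenario 1 and Scenario 2 together, here is an added example (not from the original post) that generates the OUTPUT-chain rules for one user: a per-user chain that allows the mail ports from above and drops everything else. It assumes interface eth0, user "apache" and a chain name of the form BLOCK_<user>; it only prints the commands, so you can review them before running them as root.

```shell
#!/bin/sh
# Added example: build iptables rules that block all outgoing traffic created by
# one user, except the TCP ports listed (the mail ports from the post).
# Assumptions: interface, user name and chain name are constructed here.
# Note: current kernels only support --uid-owner and --gid-owner in the owner
# match; --pid-owner, --sid-owner and --cmd-owner were removed long ago.

build_user_block_rules() {
  user="$1"; iface="$2"; allowed_tcp="$3"   # e.g. apache eth0 "25 110 143"
  chain="BLOCK_$user"
  echo "iptables -N $chain"
  # Every locally generated packet owned by $user goes to the per-user chain.
  echo "iptables -A OUTPUT -o $iface -m owner --uid-owner $user -j $chain"
  # Replies on connections that were accepted from outside (e.g. incoming HTTP
  # sessions served by Apache) must keep flowing, otherwise the web server breaks.
  echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # New outbound connections are only allowed to the listed TCP ports.
  for p in $allowed_tcp; do
    echo "iptables -A $chain -p tcp --dport $p -j ACCEPT"
  done
  # Log (rate limited) before dropping so blocked attempts are visible in the kernel log.
  echo "iptables -A $chain -m limit --limit 5/min -j LOG --log-prefix \"$chain: \""
  echo "iptables -A $chain -j DROP"
}

# Number of rules the generator emits; handy for a quick sanity check.
count_user_block_rules() {
  build_user_block_rules "$@" | wc -l | tr -d ' '
}

# Usage (as root): build_user_block_rules apache eth0 "25 110 143" | sh
```

Remove the rules again with `iptables -D OUTPUT -o eth0 -m owner --uid-owner apache -j BLOCK_apache`, then `iptables -F BLOCK_apache` and `iptables -X BLOCK_apache`.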